vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-05-01 21:10:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

docs: add RBAC endpoints, OIDC group mapping, and update Pro terminology

Browse source 
- Add RBAC/role management endpoints to API.md
- Document OIDC group-to-role mapping feature in OIDC.md
- Add missing config files to CONFIGURATION.md (audit.db, AI files)
- Add OIDC_GROUP_ROLE_MAPPINGS env var documentation
- Fix "enterprise" -> "Pro" terminology in TROUBLESHOOTING.md
- Refocus TEMPERATURE_MONITORING.md on agent method, collapse legacy proxy docs
This commit is contained in:
rcourtman 2026-01-10 13:59:50 +00:00
parent a970a6e5ee
commit 80729408c1
5 changed files with 110 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

32
docs/OIDC.md
View file

@ -34,6 +34,38 @@ Restrict access to specific users or groups:
* **Allowed Domains**: Restrict to specific email domains (e.g., `example.com`).
* **Allowed Emails**: Allow specific email addresses.
### Group-to-Role Mapping (Pro)
Automatically assign Pulse roles based on OIDC group membership. When a user logs in, Pulse checks their groups claim and assigns the corresponding roles.
**Configuration via UI:**
Go to **Settings → Security → Single Sign-On → Group Role Mappings** and add mappings like:
- `oidc-admins``admin`
- `oidc-operators``operator`
- `oidc-viewers``viewer`
**Configuration via Environment:**
```bash
# Format: group1=role1,group2=role2
OIDC_GROUP_ROLE_MAPPINGS="oidc-admins=admin,oidc-operators=operator"
```
**How it works:**
- On each login, Pulse reads the user's groups from the configured groups claim.
- For each group that matches a mapping, the corresponding role is assigned.
- Multiple groups can map to multiple roles (user gets all matching roles).
- Role assignments are updated on every login to reflect current group membership.
- Role changes are logged to the audit log for compliance tracking.
**Example:**
If a user has groups `["oidc-admins", "developers"]` and you have mappings:
- `oidc-admins``admin`
- `developers``operator`
The user will be assigned both `admin` and `operator` roles.
> **Note**: Ensure your IdP includes the `groups` scope and that the groups claim is properly configured. Some providers use `groups`, others use `roles` or custom claims.
### Long-Lived Sessions with `offline_access`
For persistent sessions that don't require frequent re-authentication: